WordPress powers millions of websites — including healthcare websites that collect, process, or transmit protected health information (PHI). As HIPAA enforcement expectations increase heading into 2026, many organizations are asking a critical question:
Is WordPress HIPAA compliant?
If you’re evaluating whether your current WordPress setup meets HIPAA expectations heading into 2026, a HIPAA risk assessment can help identify gaps early — before they turn into audit findings or breach issues.
→ Review your WordPress compliance risk
The answer is yes — but only under specific conditions.
WordPress itself is neither HIPAA compliant nor non-compliant. HIPAA compliance depends entirely on how WordPress is hosted, secured, configured, and maintained, as well as how PHI flows through the broader technology environment.
In 2025, the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) updating the HIPAA Security Rule. While the core structure of HIPAA remains the same, the proposed changes raise expectations around technical safeguards, documentation, and accountability — particularly for web-based platforms like WordPress.
Important: This article references HHS’s 2025 proposed HIPAA Security Rule updates. Final requirements are expected in 2026 and may change. Organizations should prepare now rather than wait for enforcement deadlines.
Is WordPress HIPAA Compliant?
WordPress can be used in HIPAA-regulated environments, but it is not compliant by default.
A WordPress site may support HIPAA compliance only if it is hosted with a provider that signs a Business Associate Agreement (BAA), secured with required safeguards, and continuously maintained under the HIPAA Security Rule.
As discussed on the HIPAA Insider Show, this distinction is often misunderstood:
“WordPress itself isn’t the problem,” Gil explained.
“It’s what you do with it — or don’t do with it — that determines whether you’re exposed.”
If you’re unsure whether your hosting, plugins, or access controls align with HIPAA expectations, it may be worth getting a second set of eyes.
→ Request a HIPAA WordPress environment review
What Changed for HIPAA and WordPress Heading Into 2026
The most important shift affecting WordPress users is how HIPAA security safeguards are evaluated and enforced.
Historically, the HIPAA Security Rule classified many safeguards as “addressable,” allowing organizations flexibility in how — or whether — they implemented them, as long as decisions were documented.
Under the 2025 proposed updates:
- The distinction between "required" and "addressable" implementation specifications would be removed, so nearly every specification becomes required, with only narrow exceptions
- Documenting a decision not to implement a safeguard would no longer be sufficient on its own
- Enforcement increasingly treats these safeguards as baseline expectations
As Gil summarized:
“What used to be a recommendation or something that would be nice to have is becoming a mandate. It’s no longer ‘if you can do it.’ Now it’s ‘you have to do it.’”
For WordPress users, this matters because healthcare sites often rely on third-party plugins, cloud infrastructure, and integrated services that expand the compliance surface area.
According to HHS, the HIPAA Security Rule establishes national standards to protect electronic protected health information (ePHI) through administrative, technical, and physical safeguards.
The Three Technical Requirements WordPress Sites Can’t Ignore
Based on the proposed rule and existing enforcement patterns, three technical areas stand out as non-negotiable.
1. Multi-Factor Authentication (MFA)
Under the proposed rule, a password alone would no longer be enough for accounts that can reach PHI: MFA would become a required safeguard, with only limited exceptions.
MFA should be enforced for:
- WordPress administrator accounts
- Hosting and cloud dashboards
- Any system with access to electronic PHI (ePHI)
MFA is increasingly treated as a baseline expectation rather than an optional control.
→ See how HIPAA-compliant WordPress hosting supports MFA and access controls
2. Encryption Beyond "Just HTTPS"
Encryption expectations extend well beyond having a TLS (SSL) certificate on the site.
Organizations must account for:
- Encryption in transit (HTTPS on every page, form, and API endpoint that carries PHI, not only the login page)
- Encryption at rest (databases, backups, uploaded files, and storage volumes)
- Protection of PHI while systems are running: disk and volume encryption only protects data when the storage is offline, so access controls, logging, and monitoring have to cover the live site and its running database
3. Vulnerability Scanning and Penetration Testing
The proposed HIPAA updates introduce explicit minimum testing cadences:
- Vulnerability scanning: at least once every six months
- Penetration testing: at least once a year
For WordPress sites this is especially important because plugins account for the large majority of publicly disclosed WordPress vulnerabilities, and an outdated or misconfigured plugin remains the most common way a site is compromised.
→ Learn how HIPAA penetration testing applies to WordPress sites
Business Associate Agreements Are No Longer “Set It and Forget It”
WordPress sites often rely on multiple vendors, including:
- Hosting providers
- Form and scheduling plugins
- Backup, security, and email services
Under the proposed rule:
- Covered entities must obtain written verification from each business associate, at least every 12 months, that the required technical safeguards have been deployed
- Business associates would have to notify the covered entity within 24 hours of activating their contingency plan (for example, after a ransomware event), a far shorter window than existing breach notification deadlines
“You can’t just sign a BAA and forget about it anymore,” Gil noted.
“You have to actively confirm your partners are doing what they say they’re doing.”
If you’re unsure whether your vendors or plugins require updated BAAs, it’s better to clarify now than under audit pressure.
→ Talk to a HIPAA compliance specialist
What Still Matters: WordPress Isn't the Problem
Despite the changes, one thing hasn’t changed:
WordPress itself is not prohibited under HIPAA.
“WordPress is like a house,” Gil explained.
“You can move in and hope nothing happens, or you can lock the doors and install alarms.”
WordPress itself is open-source software with no vendor behind it, so there is no one to sign a BAA for WordPress as such. Compliance therefore depends on:
- Who hosts the site
- Whether a BAA is in place
- How security controls are implemented and monitored
→ Explore HIPAA-compliant WordPress hosting options
A New 2026 Priority: Asset Inventory and Data Flow Mapping
The proposed rule places renewed emphasis on technology asset inventories.
Organizations must be able to identify:
- Every system where PHI is stored
- Every pathway PHI travels through
- Every vendor involved in that process
“Even a back-of-the-napkin diagram is better than nothing,” Gil said.
“You just need to know where your data lives.”
If you haven’t formally documented this yet, a structured assessment can help establish a baseline.
→ Start with a HIPAA risk assessment
Administrative Controls Still Matter (Even If They’re Boring)
Most WordPress breaches don’t happen because WordPress itself is insecure.
They happen because:
- Plugins aren’t updated
- Themes are abandoned
- Security patches are ignored
Outdated plugins remain one of the most common and preventable sources of WordPress-related healthcare breaches.
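In practice, the six-month scanning cadence above and the "plugins aren't updated" failure mode come down to one recurring check: knowing which installed plugins are behind and which are sitting on disk unused. The script below is an added example, not code from the article or from the WordPress project. It assumes WP-CLI (the `wp` command) is installed on the host and consumes the CSV that `wp plugin list` prints; the embedded CSV is constructed sample data so the script runs offline, and passing `--live` queries the real site instead.

```shell
#!/bin/sh
# Added example: quick plugin hygiene check for a WordPress host.
# Assumes WP-CLI is installed; the sample CSV below is constructed data.
#
# Live input is produced by:
#   wp plugin list --format=csv --fields=name,status,update,version,update_version
# Columns: 1=name 2=status 3=update 4=version 5=update_version

# outdated_plugins: read the CSV on stdin and print one line per plugin that
# has an update available, as "name current -> available".
outdated_plugins() {
    awk -F, 'NR > 1 && $3 == "available" { printf "%s %s -> %s\n", $1, $4, $5 }'
}

# inactive_plugins: read the CSV on stdin and print plugins that are installed
# but not active. Inactive plugin code is still on disk and still reachable,
# so it is attack surface that should be removed, not just left disabled.
inactive_plugins() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Constructed sample output (hypothetical versions), used when --live is not given.
SAMPLE_CSV='name,status,update,version,update_version
akismet,active,none,5.3,
contact-form-7,active,available,5.8.1,5.9
hello-dolly,inactive,available,1.7.2,1.7.3'

if [ "${1:-}" = "--live" ]; then
    CSV=$(wp plugin list --format=csv --fields=name,status,update,version,update_version)
else
    CSV=$SAMPLE_CSV
fi

echo "Plugins with updates available:"
printf '%s\n' "$CSV" | outdated_plugins
echo "Inactive plugins still installed (remove rather than leave disabled):"
printf '%s\n' "$CSV" | inactive_plugins
```

Run it from the WordPress root on a schedule (`sh plugin_audit.sh --live`) and keep the dated output with the rest of the site documentation; it is not a substitute for the vulnerability scan itself, but an empty "updates available" list is the precondition for a clean scan.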
Two Immediate Actions WordPress Users Should Take Now
HIPAA enforcement ultimately holds owners and executives accountable, not just IT staff.
“If something goes wrong, they don’t sue your technical staff — they sue you,” Gil emphasized.
Two practical steps organizations can take immediately:
- Document your digital assets — everywhere PHI lives or moves
- Enforce MFA everywhere — no exceptions
Once documented, compliance becomes manageable. What creates risk is not complexity — it’s invisibility.
Prepare Now, Not Later
HIPAA compliance for WordPress in 2026 is less about new tools and more about higher expectations.
WordPress can still be used safely — but only when:
- Hosting is HIPAA-compliant
- BAAs are current and enforced
- Security controls are documented, tested, and maintained
“This isn’t something you set and forget,” Gil said.
“It’s more like taking out the trash — you just have to do it regularly.”
Preparing now is significantly easier than responding under audit pressure later.
→ Start with a HIPAA risk assessment for your WordPress site